Defining the CSO and CSO Magazine of the Future

If  you  went  back  about  10  years  and  took  stock  of  your  role 
as  a  security  professional,  how  different  were  your  priorities  and 
responsibilities  back  then? 

Many of you were likely focused on perimeter security and firewalls — keeping people out of your network. The idea that a great deal of sensitive corporate data would soon be heading out the door every day on employee-owned mobile devices likely never even occurred to most of you in those days.

Many of you may have been focused exclusively on information security or physical security, with little blending of the two disciplines at the time, even within corporate walls. Many readers might not even have been in security 10 years ago, as the industry has exploded in the last decade. Now those of you reading may have security titles that didn't even exist back then.

This  month,  CSO  contributor  Bob  Violino 
explores  just  how  much  things  have  changed 
in  security,  and  where  things  are  headed.  What 
will  be  the  priorities  of  the  CSOs  and  CISOs  of 
the  future?  What  skills  and  background  will  one 
need  to  remain  relevant  in  this  profession  as  we 
head  into  the  next  decade? 

This focus ties in very closely with what is happening here at CSO. As editor of CSO magazine, I have often felt that I wear two hats: one as a security professional, and one as a publishing professional. And just as we have witnessed the evolution of the role of CSO and the security industry itself, we have also seen dramatic changes in the world of publishing.


CSO magazine is now heading into the future focused exclusively on digital and online publishing. You're holding in your hands the final paper copy of CSO. But really, not much is changing here at the publication. We will continue to provide you daily with timely, insightful and in-depth coverage online at CSOonline.com. We will continue with our commitment to covering what's important to security and risk professionals today and 10 years from now. There has never been a more exciting time to be in the security profession. As the industry continues its march into the future, we here at CSO are looking forward to evolving with you.

-Joan  Goodchild,  Editor, 
jgoodchild@cxo.com 
When Leadership Gets on Board

I  had  a  deep  discussion  recently  with  several  CSOs  about 
why  the  board  of  directors  suddenly  understands  the  importance 
of  cybersecurity. 


For  years,  boards  thought  “security”  meant 
"spend  lots  of  money  and  get  nothing  in  return.” 
Suddenly  this  seems  to  be  changing.  But  why? 

In the middle of this discussion, lubricated with plenty of wine, scotch and red meat, someone said, "My CEO came back from Davos this year with a whole new sense of urgency around cybersecurity." Another noted that her CEO had returned from Davos the year before having "found religion." They were referring to the annual meeting of the World Economic Forum (WEF) each winter in Davos, Switzerland. It's a gathering of leaders, both political and business, who come together to discuss some of the world's most pressing issues. Apparently, something was up at Davos, so I decided to check it out.

In 2012, these leaders decided that cybersecurity was a critical-enough economic issue that it needed to be addressed, because ignoring it poses a significant risk to the global economy. That year they created the Partnering for Cyber Resilience initiative, whose mission was to investigate the issue and report back the following year. In 2013, in addition to agreeing that the greatest cyber risk comes from mobile devices, the initiative also said that cybersecurity needs to be a regular item on the agenda of the board of directors. As the group put it, "Cybersecurity must be hard-wired into [the] management practice throughout the organization, like brushing your teeth." It was at this point in my research that things became clear.

Fast forward to January of 2014, this year's meeting in Davos. The WEF, in partnership with McKinsey and Co., issued its report "Risk and Responsibility in a Hyperconnected World" (http://bit.ly/ldREsgx). In addition to outlining the challenges posed by cybersecurity and offering a proposed framework for addressing the challenges, it projects that by 2020, the total economic cost of ineffective security will top $3 trillion globally. This number is getting everyone's attention because it looks not only at direct losses, but also at unrealized value creation as businesses and individuals avoid "digitization," or the adoption of technology.

The Partnering for Cyber Resilience initiative is headed in the right direction and is achieving things I didn't think were possible: getting the attention of senior management. But not every company or board pays attention to what's happening at Davos, and that's unfortunate. If your leadership needs a little push in understanding the importance of cybersecurity, please share the WEF-McKinsey report with them.

-Bob  Bragdon,  publisher 
bbragdon@cxo.com 
Try Damballa free for 30 days at damballa.com/failsafe, 800.820.4527

Let's face it. Some nasty threat will eventually breach your IT defense. Question is, what can you do about it? Instead of firing alerts, Damballa identifies successful infections, then gives you actionable information to contain and eliminate them before real damage is done. It's a smarter defense based on nearly a decade of data science and more data records than a Gigabyter can count. So you can be prepared for whatever threats are dreamed up next.




You Need to Get Creative With Pen Testing. Here's How to Do It.

Criminals' techniques for hacking and breaching corporate assets are rapidly evolving, and security managers must find a way to keep up. By Maria Korolov


SECURITY PROFESSIONALS HAVE long been running penetration tests to find weaknesses. The bad guys, however, aren't limiting themselves to perimeter attacks. They're using spearphishing, phone calls, on-site visits and other methods to steal data.

"As cybercriminals evolve, we must as well," says Demetrios Lazarikos, security strategist and former CISO for Sears Online.

Spearphishing 

Everyone knows not to click on misspelled, unsolicited emails from foreign royalty, but today's adversaries are smarter. Their emails use proper English and are indistinguishable from real corporate communications.

"Let's say that there is a press release that goes public that says that company XYZ has just switched its health provider to Blue Cross Blue Shield," says Bob Walder, founder and chief research officer at NSS Labs. "The bad guys are going to look at that and say, 'All right, company XYZ, I'm going to send an email and spoof it so that it looks like it came from Blue Cross Blue Shield, and says something like, "Do you need help with your enrollment?" It will be relevant to your employees.'"

Defending against this kind of attack is more a matter of user education than technology, he says.

After  the  initial  education  campaign, 
Walder  recommends  a  nonthreatening  testing 
strategy,  such  as  showcasing  employees  who 
were  impervious  to  scams.  “You  don’t  want  to 
set  yourself  up  as  an  adversary,”  he  says.  “You 
can  make  it  lighthearted,  give  out  prizes.  So 
people  doing  the  dumb  stuff  don’t  get  called 
out,  but  they  think  if  they  make  an  effort  they 
might  win  next  time.” 

Another benefit of a positive approach to pen testing is that it ensures top management isn't caught up in the net and publicly embarrassed. "It's ironic, but most of the time it's the senior execs and the CIOs who don't have time to read email, and they scan something and click without thinking," he says.

One company using targeted emails is Century Bank. "We attempt to phish and social engineer our users several times a year," says Adam Glick, the bank's information security officer. "The assessment includes setting up a fake internal Web server, adjusting internal DNS, and sending out a spoofed email luring users to change their expiring password or claim their free millions of dollars."

Beyond Phishing

Century Bank doesn't stop at emails.

Penetration testers will call employees pretending to be from IT and ask for their passwords, or try to enter secure areas dressed as employees or maintenance workers.

"These tests are becoming paramount as phishing and social engineering are becoming ever-increasing avenues for malicious players," Glick says. "Proactively training your users and empowering them to recognize these scams is decidedly your best defensive weapon." Glick says his bank uses an outside service, Towerwall, to do the testing.

OneBeacon Insurance Group also uses a third-party testing service, NTT Com Security.

"Typically, we think of testing attacks directed at computer systems, but for a while we have known that it is much easier to at least start the attack vector by focusing on the social engineering aspects," says OneBeacon CISO Joseph Topale. "Several years ago, our penetration test was expanded and continues to expand to cover the emerging social engineering pieces."

These  days,  that  includes  not  only  phishing 
emails,  but  also  phone  calls  and  custom-built 
spoof  websites,  he  says. 

It  can  get  even  more  creative.  Chris  Camejo, 
director  of  assessment  services  at  NTT  Com 
Security,  recalls  a  client  focused  on  physical 
security  in  sensitive  areas  of  its  facility. 

“What  they’ve  done  is  have  a  program  set 
up  where  they’ll  give  someone  a  $100  bill  and 
have  them  go  into  a  secure  area  without  a 
badge  on,”  he  says.  “The  first  person  who  says, 
'Where’s  the  badge?’  gets  the  $100  bill.” 


This  is  an  important  part  of  security  testing 
because  it  can  be  very  easy  to  get  into  secure 
areas,  Camejo  says. 

"If you have a cup of Starbucks in one hand and a Blackberry in your ear and you just waggle your elbows at the door and look pathetic, they'll let you in because it's obviously a really important phone call."

Even companies that don't have critical systems on-site may not understand how much important data can be accessible to someone who just walks in. "Companies don't realize how much information they leave lying around the office," he says. "Backup tapes, laptops, authentication tokens, keys. There's so much stuff that people leave sitting around. I've seen boxes of microfiche documents with reams of Social Security numbers on them just sitting on people's desks."

Some companies have other avenues of access, which a determined hacker can find.

"We've been called in on forensic engagements at financial institutions that performed wire transfers initiated by faxes sent in by the appropriate individuals, signed by apparently the right person," says Mike Weber, vice president of security vendor Coalfire Labs.

Multi-Pronged  Attacks 

When one approach doesn't work alone and a target is particularly attractive, hackers will layer their attacks. To guard against this, penetration testers must layer their attacks too.

Take, for example, Core Security Consulting Services, a pen testing vendor hired to break into a credit card payment processing company. The team got as far as the database files but only had a day to figure out where the credit card numbers were stored, and there were too many files to go through them all.

“One  of  us  went  to  a  restaurant  to  buy 
some  sandwiches  and  sodas,  and  the  other 
one  ran  a  text  search  looking  for  our  credit 
card  number  in  the  files,”  says  Diego  Manuel 
Sor,  manager  at  Core  Security.  “We  didn’t  have 
to  check  all  the  files,  just  the  last  kilobytes.” 
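The trick in that anecdote is worth spelling out: the testers made a fresh purchase with a card whose number they knew, so the file that stores card data had to contain that number in the records appended most recently, and only the tail of each file needed to be read. Below is an added example written for this page, not Core Security's tooling, that does the same thing over a directory tree and additionally reports any other Luhn-valid 13-to-19-digit run in the tails, so unknown card numbers surface too. The tail size, the test card number and the sample files are constructed for the demo; the third file shows the technique's blind spot when card data was written long ago.

```python
import os
import re
import tempfile

TAIL_BYTES = 64 * 1024                         # only the last 64 KiB of each file is read
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")
TEST_PAN = "4111111111111111"                  # widely used Luhn-valid test number


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def read_tail(path, n=TAIL_BYTES):
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - n))
        return fh.read()


def scan_tree(root, known_pan=None):
    """Map each file (relative to root) to the card numbers found in its tail:
    the known test PAN if present, plus any other Luhn-valid 13-19 digit run."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            tail = read_tail(path)
            found = []
            if known_pan and known_pan.encode() in tail:
                found.append(known_pan)
            for m in PAN_RE.findall(tail):
                pan = m.decode()
                if pan != known_pan and luhn_ok(pan) and pan not in found:
                    found.append(pan)
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def build_sample_dir():
    """Constructed files standing in for the processor's data directory."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "txn_log.dat"), "wb") as fh:
        fh.write(b"x" * (TAIL_BYTES + 100))                  # old records, outside the tail window
        fh.write(b"\n2014-05-01 APPROVED pan=" + TEST_PAN.encode() + b" amt=12.50\n")
    with open(os.path.join(root, "inventory.csv"), "wb") as fh:
        fh.write(b"sku,qty\n1234567890123,5\n")                # 13 digits but fails Luhn: ignored
    with open(os.path.join(root, "archive.bin"), "wb") as fh:
        fh.write(b"pan=5500000000000004 amt=3.00\n")           # valid PAN, but only at the head
        fh.write(b"y" * (TAIL_BYTES + 100))                    # so a tail-only scan misses it
    return root


if __name__ == "__main__":
    root = build_sample_dir()
    print(scan_tree(root, known_pan=TEST_PAN))   # {'txn_log.dat': ['4111111111111111']}
```

The Luhn filter is what keeps the output readable: inventory codes, timestamps and amounts fall out, while the test number and any real card numbers stored in the clear survive. Run with `known_pan` set to your own test card's number when you have one; without it the scan still finds Luhn-valid runs, just with more false positives.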

A  penetration  test  can  also  have  several 
layers  right  from  the  start. 

"A lot of companies request a specific type of social engineering test, such as phishing or pretext calling, or physical social engineering, where we talk our way into a secure area," says Coalfire's Weber. "We find that those threats by themselves are easy to identify and question. But when we blend them, we get a whole lot better success." For example, a physical infiltration might be preceded by an official-looking email announcing the visit.

"A blended social engineering attack tends to be a weak spot," says Travis Howe, director of security and compliance at Conga, a document management company. "Unfortunately, if someone wants to compromise the organization... I don't have the purview of choosing how I'm going to be attacked."


■  Maria  Korolov  has  covered  emerging 
technologies  and  markets  around  the  world. 
Time to Modernize in the Fight Against Malware


A RECENT ANALYSIS OF network traffic in thousands of organizations found that the majority of them were hosting malware and bots, a clear signal that it is time for companies to move quickly to modern-day methods of detecting malicious software, experts say.

A recent report on the analysis performed by security vendor Check Point Software Technologies had enough scary bullet points to keep most CSOs up at night. Two of the most troubling were that 84 percent of the organizations had systems infected with malware and nearly three-fourths of the study's subjects had at least one bot on their network.

These  standalone  numbers,  particularly 
on  infection  rates,  do  not  necessarily  indicate 
a  serious  problem  because  not  all  malware 
is  the  same.  Some  types  are  far  more  serious 
than  others. 

"Malware percentages, malware infection counts and all those kinds of things are somewhat nebulous in nature," says Tyler Shields, analyst for Forrester Research. "It is sometimes hard to define exactly what an infection is and exactly what a piece of malware is."

What is troubling in the 2014 Security Report are the trends. Check Point found that the percentage of organizations at which malware had been downloaded at least every two hours had more than quadrupled in the past year, from 14 percent in 2012 to 58 percent in 2013.

The  study  also  found  that  the  percentage 
of  organizations  harboring  a  bot  increased  to 
73  percent  from  63  percent  year  to  year,  and 
77  percent  of  the  bots  were  active  for  more 
than  four  weeks. 

What these numbers show is that traditional signature-based security, such as antivirus software, "is dead," as Brian Dye, Symantec's senior vice president for information security, told The Wall Street Journal.

"We don't think of antivirus as a moneymaker in any way," Dye said.

That’s  a  telling  statement  from  a  company 
whose  business  depended  on  selling  antivirus 
software  for  more  than  two  decades. 

Unfortunately, too many companies still depend on antivirus technology, which contributes to the high numbers in studies like Check Point's. Those businesses have to shift tactics toward looking for events in hardware, software and network traffic that would point to an anomaly indicative of malware.

"My recommendation is to spend more money on legitimate detection, as opposed to relying on detection that has been antiquated and hasn't worked for the better part of a decade," Shields says.

Examples of more effective approaches include egress filtering, which is the practice of monitoring and restricting the traffic allowed to leave the corporate network, so that an infected machine cannot reach its command-and-control server or exfiltrate data without the connection being logged or blocked.

Other options include intrusion detection systems and detonation chamber technology (sandboxes that run suspect files in isolation and record what they do), which can be used to examine potential malware before it reaches users.
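Two of the recommendations above, egress filtering and looking for anomalies in network traffic, can be tried against a connection log with very little code. The following is an added example written for this page, not Check Point's or Forrester's tooling: it applies an assumed egress policy (web traffic only through the proxy, DNS allowed, nothing else out) to a list of outbound connections, and separately flags any (source, destination, port) contacted at near-constant intervals, which is how a bot that has been "active for more than four weeks" typically looks. The policy, the addresses and the connection records are all constructed for the demo.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed egress policy (made up for the demo): web traffic must go through the
# proxy, DNS is allowed, and nothing else leaves the network.
PROXY = "10.0.0.5"
ALLOWED_EGRESS_PORTS = {53, 80, 443}


def egress_violations(records):
    """Connections an egress filter should have blocked. records: (ts, src, dst, dport)."""
    bad = set()
    for _ts, src, dst, dport in records:
        if dport not in ALLOWED_EGRESS_PORTS:
            bad.add((src, dst, dport, "port not permitted"))
        elif dport in (80, 443) and dst != PROXY:
            bad.add((src, dst, dport, "web traffic bypassing proxy"))
    return bad


def find_beacons(records, min_count=8, max_cv=0.15):
    """Flag (src, dst, dport) tuples contacted at near-constant intervals.
    Returns (src, dst, dport, period_seconds) for each suspected beacon."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in records:
        by_pair[(src, dst, dport)].append(ts)
    beacons = []
    for key, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        # Coefficient of variation: human traffic is bursty, timers are not.
        if period > 0 and pstdev(gaps) / period <= max_cv:
            beacons.append((*key, round(period)))
    return beacons


def sample_records():
    """Constructed outbound-connection log: (unix_ts, src, dst, dport)."""
    recs = []
    # Infected host calling home every 10 minutes with a few seconds of jitter,
    # straight to the internet on 443 instead of via the proxy.
    for i in range(12):
        recs.append((1000 + 600 * i + 5 * (i % 3), "10.0.1.23", "203.0.113.9", 443))
    # A person browsing through the proxy at irregular times.
    for t in (1010, 1042, 1047, 1399, 2500, 2531, 4102, 4108, 4110, 7777, 7790, 8200):
        recs.append((t, "10.0.1.40", PROXY, 443))
    # One connection to an IRC port, which policy does not allow out at all.
    recs.append((3333, "10.0.1.55", "198.51.100.7", 6667))
    return recs


if __name__ == "__main__":
    recs = sample_records()
    for v in sorted(egress_violations(recs)):
        print("policy violation:", v)
    for b in find_beacons(recs):
        print("beacon:", b)
```

The beacon heuristic is deliberately simple; real bots add larger jitter or use the proxy, so in production you would also group by destination across hosts and by the registered domain of the destination, and feed the hits into the same queue a FireEye-style alert goes into. The point the article makes about Target still applies: someone has to read that queue.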


Stricter policies that restrict the downloading of files from unidentified sites would also help, says Kellman Meghu, head of security engineering for Check Point. Having a strict policy that all executable files have to be pre-approved would go a long way toward reducing malware infections. "It may seem like a burden, but the reality is the burden of trying to clean up potentially thousands of machines is far larger," Meghu says.

As last year's Target breach showed, technology alone is not enough to prevent the theft of tens of millions of customer records and associated credit card data.

A network-monitoring tool from vendor FireEye alerted the retailer's security personnel of malware on the network before the data was stolen. However, no one acted on the warning, so the $1.6 million Target spent on installing the tool did not matter.

"The  technology  is  there  to  help,  but  you 
still  need  intelligence  and  human  brainpower 
wrapped  around  it  to  make  sense  out  of  what 
the  technology  is  trying  to  tell  you,”  says  Chris 
Camejo,  director  of  assessment  services  at 
NTT  Com  Security. 

-Antone  Gonsalves 
Retailers Move Slowly Toward Accepting More Secure Credit Cards, May Miss 2015 Deadline


TARGET  IS  SPEEDING  UP  SUPPORT  FOR  CHIP-AND-PIN 
payment  cards  to  restore  consumer  confidence  after  it  was  shaken 
by  last  year’s  massive  data  breach.  But  many  other  retailers  feel 
less  of  a  sense  of  urgency  for  adopting  the  more  secure  technology. 

Target plans to complete the needed technology upgrade at payment terminals in its 1,797 U.S. stores by next September, which is about six months ahead of schedule, a spokeswoman for the retailer told IDG News. The total cost of the upgrade is $100 million.

During last year's holiday shopping season, hackers broke into Target's point-of-sale terminals and stole 40 million payment card records. The breach has spawned 80 lawsuits and cost the retailer $61 million in remediation costs in the fourth quarter of 2013.

Chip-and-PIN cards, which are widely used in Europe and elsewhere, carry a microchip that authenticates the card cryptographically at the terminal, rather than relying on the static data stored on the less-secure magnetic stripe found on most U.S. payment cards today.

Visa and Mastercard have set an October 2015 deadline for retailers to accept the new cards. After that date, liability for counterfeit-card fraud shifts to whichever party has not adopted chip technology: a retailer whose terminals cannot read chips becomes liable for counterfeit purchases made at them, rather than the card issuer.

As  ominous  as  that  sounds, 
many  retailers  are  not  hurrying 
to  make  the  transition  to  the 
expensive  technology  required 
to  accept  the  more  secure 
cards.  Experts  estimate  that 
the  transition  would  cost  the 
industry  $30  billion. 

“Retailers  who  I  speak  to  are 
mainly  planning  to  upgrade  their  terminals  [to  accept  chip-and-PIN 
cards]  as  part  of  their  normal  upgrade  cycles,”  says  Avivah  Litan, 
an  analyst  for  Gartner.  “I  don’t  see  any  of  them  rushing  just  to  meet 
this  liability-shift  deadline.” 

The  National  Retail  Federation  declined  to  comment  on  the 
credit  card  companies'  timetable,  but  says  it  supports  the  move  to 
more  secure  cards  in  general. 

"If we're going to transition to a more secure system, then we should transition to a chip-and-PIN-based system," says Stephen Schatz, spokesman for the trade association.

That move for many retailers won't be completed by October 2015, says Randy Vanderhoof, executive director of the EMV Migration Forum, an independent, cross-industry group created to address issues related to the move to chip-and-PIN cards, which are also called smart cards.

“We’re  going  to  be  going  through  a  transition  phase  that  had 
begun  two  years  ago  and  still  has  probably  two  or  four  more  years 
to  go,”  Vanderhoof  says. 

By then, most consumers will have smart cards, and the majority of retailers will have the technology in place to support them, he says.

Chip-and-PIN cards can improve security by requiring a PIN when making a purchase. However, most of the cards are configured to require a PIN only when making a debit transaction.

The biggest benefit of the cards is the chip, which prevents cybercriminals who have stolen credit card numbers from using them to make counterfeit cards. The chip holds a secret key that never leaves the card and uses it to produce a one-time cryptogram for each transaction, so card data captured from a terminal or copied from a magnetic stripe cannot be replayed to make a working clone.
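Why a stolen card number is enough to counterfeit a stripe card but not a chip card is easiest to see in code. The block below is an added, deliberately simplified model written for this page; it is not the EMV specification (real cards derive 3DES session keys from issuer master keys and MAC a defined set of fields, and this model covers only card authentication, not PIN verification). An issuer keeps a copy of each card's key, the terminal supplies a fresh unpredictable number, the chip increments its transaction counter and returns an HMAC over the transaction data, and the issuer verifies it. The same issuer also accepts stripe transactions on static track data. The key size, message layout and test card number are assumptions made for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def cryptogram(key, atc, amount, unpredictable):
    """Card-side MAC over the transaction data. Stand-in for an EMV ARQC
    (real cards use issuer-derived 3DES session keys, not HMAC-SHA256)."""
    msg = f"{atc}|{amount}|{unpredictable.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class ChipCard:
    pan: str
    key: bytes          # never leaves the chip; a skimmer only sees the outputs
    atc: int = 0        # application transaction counter

    def generate_arqc(self, amount, unpredictable):
        self.atc += 1
        return self.atc, cryptogram(self.key, self.atc, amount, unpredictable)


@dataclass
class Issuer:
    keys: dict = field(default_factory=dict)      # PAN -> issuer copy of the card key
    last_atc: dict = field(default_factory=dict)  # PAN -> highest counter accepted
    stripes: dict = field(default_factory=dict)   # PAN -> static track data

    def issue(self, pan):
        key = os.urandom(16)
        self.keys[pan], self.last_atc[pan] = key, 0
        self.stripes[pan] = f"{pan}=2512"         # stripe holds only static data
        return ChipCard(pan, key)

    def authorize_stripe(self, track):
        # Nothing on the stripe proves the genuine card is present: a copy is as good as the original.
        pan = track.partition("=")[0]
        return self.stripes.get(pan) == track

    def authorize_chip(self, pan, atc, amount, unpredictable, arqc):
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:
            return False                           # unknown card, or a replayed counter value
        if not hmac.compare_digest(arqc, cryptogram(key, atc, amount, unpredictable)):
            return False                           # wrong key: cloned chip or tampered data
        self.last_atc[pan] = atc
        return True


def terminal_chip_purchase(issuer, card, amount):
    """Terminal flow: fresh unpredictable number, card signs, issuer verifies.
    Returns (approved, captured_message) so the captured data can be replayed."""
    un = os.urandom(4)
    atc, arqc = card.generate_arqc(amount, un)
    message = (card.pan, atc, amount, un, arqc)
    return issuer.authorize_chip(*message), message


def demo():
    issuer = Issuer()
    card = issuer.issue("4111111111111111")     # test PAN
    results = {}
    # Skimmed stripe data written onto a blank card is accepted like the original.
    results["stripe_copy_accepted"] = issuer.authorize_stripe(issuer.stripes[card.pan])
    # A genuine chip transaction, whose wire data we "capture".
    ok, captured = terminal_chip_purchase(issuer, card, 1999)
    results["chip_genuine"] = ok
    # Replaying the captured chip message fails on the counter check.
    results["chip_replay"] = issuer.authorize_chip(*captured)
    # A counterfeit chip that knows the PAN and counter but not the key.
    clone = ChipCard(card.pan, b"\x00" * 16, atc=captured[1])
    results["chip_clone"] = terminal_chip_purchase(issuer, clone, 1999)[0]
    # The real card keeps working afterwards.
    results["chip_genuine_again"] = terminal_chip_purchase(issuer, card, 500)[0]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'approved' if v else 'declined'}")
```

The replay fails here on the counter alone; in a real terminal flow the unpredictable number would differ as well, so the captured cryptogram would be wrong even for a card whose counter the issuer had not tracked. Note what the model does not protect: the PAN itself is still readable, so card-not-present fraud with a stolen number is unaffected, which is the gap the article's "configured to require a PIN only when making a debit transaction" remark hints at.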

Retailers face severe damages when they're the subject of a major data breach. A third of consumers whose personal data has been compromised avoid doing business with the retailer after a breach, according to a recent study by Javelin Strategy and Research.

"Retail is highly commoditized," says Al Pascual, analyst for Javelin Strategy. "If Target doesn't work out for me, then I can go across the street to any Wal-Mart."

Wal-Mart  has  been  pushing  Visa  and  Mastercard  to  move  faster 
in  requiring  chip-and-PIN  cards,  Litan  says. 

“They  want  to  standardize  their  equipment  across  the  globe  for 
economic  reasons,  and  the  U.S.  is  one  of  the  only  countries  that 
hasn’t  yet  moved  to  chip-card  acceptance,”  she  says. 

-Antone  Gonsalves 
MINIMAL RISK


Interconnected  Cars  Raise  New  Privacy  Questions 


IMAGINE YOU'RE DRIVING down a street in your town, and as you pass through an intersection you see a flash out of the corner of your eye just before a car running the red light broadsides you. Now, imagine that your vehicle was in communication with the other vehicle, and your car automatically stopped or took evasive action to avoid the accident.

That would be pretty amazing, and that is just the sort of car-to-car communication technology the Department of Transportation wants to make mandatory for all passenger vehicles. However, the technology may also invade your privacy and put you at risk.

It's really just a next step in the evolution of safety. We require safety belts because they keep you secured in your seat during an accident. We require airbags because they can deploy in the blink of an eye, much faster than you can possibly react in a crash. If we have the technology for vehicles to proactively communicate with one another and simply avoid the accidents in the first place, then of course we should use it, right?

The Department of Transportation estimates that vehicle-to-vehicle, also called V2V, communication could prevent four out of five accidents. According to data from the National Highway Traffic Safety Administration, motor vehicle crashes caused 33,561 fatalities in 2012, so reducing the total number of crashes by 80 percent has the potential to save more than 25,000 lives per year.

The  car-to-car  communication  transponder 
technology  that  the  DoT  has  in  mind  would 
share  a  car’s  location,  direction  and  speed 
with  nearby  vehicles.  The  system  could  then 
alert  the  driver  of  potential  danger  or  auto¬ 
matically  slow  or  stop  the  car  to  avoid  a  crash. 

There  are  a  couple  concerns  to  address 
with  such  a  system,  though. 

First, there is the question of privacy, and whether or not that data could be used against you. If your car is sending detailed speed data to nearby vehicles and you pass a police car, would that police officer be able to pull you over and write you a ticket simply based on the fact that your own car announced that you were speeding?

The second concern is that the system could be hacked, and somebody could override your vehicle and force it to stop when there is no impending accident. Security researchers demonstrated a hack at the 2013 Black Hat conference last summer that enabled them to control computer-operated functions in modern vehicles. The hackers were able to sound the horn, slam on the brakes, spoof the GPS coordinates, and even move the steering wheel simply by issuing commands from a laptop. That demonstration required the laptop to be wired into the car's internal network through its diagnostic port, so physical access was the one barrier an attacker still had to clear.

This second concern needs to be addressed whether or not the proposed V2V transponder technology is ever implemented. These attacks on a car's computer-controlled functions are already possible because of just how dependent our vehicles are on their computer systems. However, tying those computer-aided functions into a system that talks to other vehicles over a short-range wireless link (the DSRC radio the DoT has in mind is derived from Wi-Fi, IEEE 802.11p) may remove the need for physical access and make it that much easier for would-be hackers to remotely access and control your vehicle's behavior.

I’m  all  for  cutting  down  on  accidents  by  80 
percent  and  possibly  saving  tens  of  thousands 
of  lives.  It  just  needs  to  be  done  in  a  way  that 
addresses  these  privacy  and  security  concerns. 

-Tony  Bradley  is  principal  analyst  with  the 
Bradley  Strategy  Group. 
Managing Risk in An Age Of Constant Threat

RSA  and  KPMG  LLP  on  data  security  as  a  business  imperative 


Cyber  attackers  are  developing  new 
threats  as  fast  as  their  targets  can  develop 
defenses— making  past  approaches  to  data 
security  inadequate.  Leaders  from  RSA  and 
KPMG  recently  explained  the  need  for  a 
more  holistic,  business-oriented  approach 
to  mitigating  the  risk  of  data  breaches. 

What's the difference between incident response and breach response?

Curry: Incident response is the race to block intruders before they access your network. Breach response is what you do to manage and mitigate the loss if you're lucky enough to find out there has been a breach.

Should companies focus on preventing attacks or should they concentrate on mitigating damage?

Bell: Companies need to maintain their defensive posture to avoid liability, but their focus should be on detecting breaches, then responding to and compartmentalizing the breach. Just because the bad guys can get into your network shouldn't mean they can get into your data. The problem is that most companies' control infrastructure is designed around legacy systems in the data center rather than cloud, mobile, shared data and new delivery vehicles.

What are the emerging trends in data security?

Curry: The biggest trend is toward visibility—giving you more data about attacks so you can see patterns. The other critical trend is for data security to be truly intelligence-driven, with tools that are as transparent as possible to minimize risk. Intelligent security is becoming more contextual, enabling you to correlate events elsewhere into your own security operations. It uses advanced analytics to look for unknown threats instead of searching just for known threats. And it leverages automation to sort through a high volume of potential incident data so human analysts can focus only on what's most relevant.

What critical steps must organizations take now to ensure a more risk management-oriented approach to cyber threats?

Bell: Traditionally, the conversation about risk has happened in IT, but it needs to become a business conversation that includes the board of directors. In addition to discussing technology and operational controls, the conversation needs to cover leadership and governance; the importance of a workforce that's trained and empowered to support data security; what and where the company's most critical data assets are and how they're used; whether the organization has a breach response plan and, if so, whether it's been tested; and, of course, legal and compliance issues in a global context. These elements define risk management more holistically. ■


In Tech


Google Chrome's Anti-Phishing Feature Is a Work in Progress


THE ANTI-PHISHING FEATURE currently available in the test version of Google Chrome would probably not provide the boost the browser needs to catch up with Microsoft's Internet Explorer, an expert says.

Chrome trails IE in its ability to protect users landing on malicious websites through phishing attacks. The experimental feature in Chrome Canary Version 36.0.1975.0 would try to narrow the gap by displaying only the site's registered domain in place of the full URL, to theoretically make it easier for a person to distinguish between a legitimate and a bogus site.

If  the  domain  is  supposed  to  be  “ama- 
zon.com,”  but  what’s  shown  is  “amazon_ 
scam.com,”  then  the  Chrome  user  would 
know  they’ve  landed  on  a  fake  site. 
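As an added illustration that is not part of the article or of Chrome’s own code, the Ruby script below implements the idea behind such a display: reduce a URL to its registrable root domain and compare it with the domain the user expects. The public-suffix list is a constructed four-entry subset (a real implementation would load the full Public Suffix List), and the sample URLs, including the login-example and funeral-home hosts, are constructed for the demonstration. The last sample shows the limit Abrams describes later in the article: a legitimate domain that has been compromised matches exactly, so the display offers no warning at all.

```ruby
# Added example, not from the article or from Chrome's own code: reduce a URL
# to its registrable ("root") domain and compare it with the domain a user expects.

# Constructed subset of public suffixes; a real implementation loads the full
# Public Suffix List.
PUBLIC_SUFFIXES = %w[com net org co.uk].freeze

# Extract the host from a URL by hand so that hosts with unusual characters
# (such as the article's "amazon_scam.com") are still handled.
def host_of(url)
  rest      = url.sub(%r{\A[a-z][a-z0-9+.-]*://}i, '')  # drop the scheme
  authority = rest.split(%r{[/?#]}, 2).first.to_s       # drop path, query, fragment
  authority = authority.split('@').last.to_s            # drop userinfo, if any
  authority.sub(/:\d+\z/, '').downcase                  # drop port, normalise case
end

# The registrable domain is the longest matching public suffix plus one label.
# Returns nil when no known suffix matches (e.g. "localhost").
def root_domain(host)
  labels = host.split('.')
  (1...labels.length).each do |i|
    suffix = labels[i..-1].join('.')
    return labels[(i - 1)..-1].join('.') if PUBLIC_SUFFIXES.include?(suffix)
  end
  nil
end

# What the root-domain display tells a user who expects `expected_root`.
def assess(url, expected_root)
  root = root_domain(host_of(url))
  return :unknown_domain  if root.nil?
  return :domain_mismatch if root != expected_root
  :domain_matches  # looks legitimate; says nothing about what the page asks for
end

# Constructed sample URLs covering the article's cases: the real site, a
# lookalike domain, a lookalike buried in a subdomain, and a legitimate site
# that has been compromised (the domain matches, so the cue cannot help).
SAMPLES = {
  'https://www.amazon.com/gp/signin'                => 'amazon.com',
  'https://amazon_scam.com/login'                   => 'amazon.com',
  'https://www.amazon.com.login-example.net/verify' => 'amazon.com',
  'https://www.example-funeral-home.com/obituary'   => 'example-funeral-home.com'
}.freeze

def report
  SAMPLES.map { |url, expected| [url, assess(url, expected)] }
end

if __FILE__ == $PROGRAM_NAME
  report.each { |url, verdict| puts "#{verdict.to_s.ljust(16)} #{url}" }
end
```

The verdicts are deliberately coarse: a mismatch is a clear warning, but a match only means the registrable domain is the expected one, which is exactly the case Abrams says the feature cannot cover.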

However, such a feature is unlikely to be of much help.

“I believe it is far too soon to assess success or failure,” says Randy Abrams, research director for NSS Labs. “That said, allowing users to see the true top-level domain [TLD] name will be of limited effectiveness.

“Many users do not know what a TLD is or even have the knowledge to distinguish a good one from a bad one.”

In addition, such tactics do not help when cybercriminals compromise a Web server and load malicious pages on the site, Abrams says. In those cases, the URL would look fine, so the only tip-off would be if the page seeks personal information unrelated to the site.

“There will be users who do not put two and two together to figure out that ‘kinder_people_love_you.com’ is probably not a safe place to share their banking credentials,” Abrams says.

A recent comparison of browser malware detection found Chrome trailing IE with a block rate of 70.7 percent versus IE’s 99.9 percent, according to NSS Labs.

The malware threat typically starts when criminals send an email crafted to trick the recipient into clicking on a link that leads to a malicious Web page. Chrome and IE both use a combination of URL filtering and application reputation technology to detect bogus URLs and malware.

Besides the questionable effectiveness of its method, Google’s anti-phishing feature is also flawed in its execution, according to PhishMe, which provides security training to companies.

PhishMe reported recently that the feature failed to display long URLs. How long would depend on the size of the browser window, but URLs over 98 characters were certain to disappear.

Chrome Canary is intended for developers and early adopters of the browser. Because it is meant for testing, Google warns that the browser could “sometimes break down completely.”
-Antone Gonsalves

“Allowing users to see the true top-level domain [TLD] name will be of limited effectiveness.”
-RANDY ABRAMS, RESEARCH DIRECTOR, NSS LABS
Most Dynamic Women in Our Industry

TAKE HOME TOOLS, Best Practices & Solutions to Achieve Success

Women of Influence Awards

Nominate your peers, clients and customers for the Women of Influence Awards. Co-presented by CSO Magazine and Alta Associates, the awards honor four women for their accomplishments and leadership roles in the fields of security, risk management and privacy.

Winners will be announced at a ceremony during the EWF event.

FOR NOMINATION FORM GO TO: www.ewf-usa.com

Nominations must be submitted by June 30, 2014

October 21-23, 2014
Hyatt Regency at Gainey Ranch, Scottsdale, AZ

Protecting Brand, Data & the Internet of Things

A summit to build and enable forward-thinking Information Security, IT Risk and Privacy leaders.

Big Data - Big Opportunity
Hear how companies leverage agile analysis and acquire the skills you need to distill complex ideas into an enterprise-wide call to action. Gain an understanding of how big data analytics will change all of us.

The Ying/Yang of IdM & IoT: Identity management in a ubiquitous world
Managing complexity is more than a word game. Learn how to manage identities with devices that might be swallowed by a person, or part of a general consumer ecosystem yet still inextricably connected to your company’s reputation and stock price.

Cyber Risk: This is not your father’s playbook
Run and hide or stand and fight? This interactive panel will consider hacktivism, reputation management and practical mitigation strategies which reflect today’s realities.

How Did I Get Here?
C-level executives walk us through their journey to success, and explain the twists and turns, skill and luck, and surprises along the way.

Microsoft
Symantec

For more information on the EWF or to register, please visit: www.ewf-usa.com
Scammers Reach Cruel New Lows

Four despicable new attacks play on users’ fears of privacy loss, theft and even death. By Stacy Collett

YOUR COMPUTER FILES ARE BEING held for ransom. Pay up, or lose them. Your bank account is being emptied, click here to stop it. Your friend has died, click on this funeral home site for more information. Social engineering thugs have reached new lows.

Social engineers were once content to trick people with free offers or funny videos before unleashing their scams. Today these criminals rely on strong-arm tactics, threats, emotional cruelty and fearful ultimatums.

While the number of emails per spearphishing campaign and the number of people targeted have both decreased, the number of the campaigns themselves jumped 91 percent in 2013, according to Symantec’s 2014 “Internet Security Threat Report.”

Campaigns run about three times longer than they did in 2012, which indicates that user awareness and protection technologies have forced spearphishers to tighten their targeting and sharpen their skills. Symantec also reports that real-world social engineers are combining virtual and real-world attacks to increase their chances of success.

Chris Hadnagy, chief human hacker at Social-Engineer, sees an increase in use of this tactic on business employees.

“Groups are sending phishing emails with malicious attachments,” which a cautious employee usually ignores.

“But then they’re following up with a phone call that says, ‘Hi, this is Bob in accounting. I just sent you an email with a spreadsheet. I just need you to open that up real quick and check it out.’ Those factors put together make you trust them and take that action.” Social engineering tactics like these are the first steps of the latest Internet scams.

1. More potent ransomware. Ransomware caught businesses’ attention in 2013 with Cryptolocker, which infects computers running Microsoft Windows and encrypts all of their files, as well as files on a shared server. The extortionists then offer to reveal the encryption key in exchange for a ransom, usually about $500, to be paid in untraceable bitcoins. The longer the victim waits to pay, the higher the price, or the data can be erased.

Copycat malware CryptoDefense popped up this year and targets texts, pictures, videos, PDFs and MS Office files and encrypts these with a strong RSA-2048 key, which is hard to undo. It also wipes out Shadow Copies, which are used by many backup programs.

In February, a law firm described how its whole file server was scrambled by Cryptolocker and the firm lost all its files. The IT team tried to disinfect the machine, but the plan backfired and prevented decryption.

They also tried to pay the ransom, but after tampering with the malware, it was too late. The attack used an email pretending to be from AT&T that included a malicious attachment that was mistaken for a voice-mail message from the firm’s phone answering service.

Companies that back up files once a week are caught off guard by the scam and are often willing to pay the ransom.

“It’s the choice between paying 500 bucks or losing a week’s worth of work, for maybe more than one person,” says Stu Sjouwerman, cofounder of security training company KnowBe4.

While the scammers used a phony AT&T address in the law firm case, other telcos were used as cover in variants of the scam, Sjouwerman says. Symantec estimates that ransomware like Cyberlocker earned criminals over $34,000 in one month alone in late 2013.

Small and midsize businesses with fewer than 500 employees were the targets of 41 percent of all spearphishing attacks in 2013, up from 36 percent in 2012, according to Symantec. Large enterprises with more than 2,500 employees accounted for 39 percent of these attacks, down from 50 percent in 2012.

Small and midsize companies have two issues, says Scott Greaux, VP at PhishMe.com. “One is the perception that I don’t have anything people would want. [Two], they might have the traditional [security] tools in place but they might be behind the times, even if they are using Web filtering.”

Before it happens to you, “make sure you do have backups and test your restore function on a very regular basis,” Sjouwerman says. Also, invest in security awareness training for all employees.
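The advice above to keep backups and to test restores regularly is the part most organizations skip, and it is the part that decides whether a ransom is ever on the table. As an added example that is not from the article or from any of the quoted firms, the Ruby script below performs a restore drill: it backs up a directory with a SHA-256 manifest, restores it into a fresh location and reports files that are missing or no longer match. All paths and files are constructed in temporary directories; the `tamper:` option simulates a backup copy that was damaged before anyone tried to restore from it.

```ruby
# Added example, not from the article: a backup is only proven when a restore
# from it has been checked. Back up a directory with a SHA-256 manifest, restore
# into a fresh location, and report anything missing or altered.
require 'digest'
require 'fileutils'
require 'tmpdir'

# Relative path => SHA-256 for every regular file under dir (dotfiles included).
def manifest_of(dir)
  Dir.glob('**/*', File::FNM_DOTMATCH, base: dir)
     .select { |rel| File.file?(File.join(dir, rel)) }
     .map    { |rel| [rel, Digest::SHA256.file(File.join(dir, rel)).hexdigest] }
     .to_h
end

# Copy source_dir into backup_dir/data and write the manifest beside it.
def back_up(source_dir, backup_dir)
  data = File.join(backup_dir, 'data')
  FileUtils.mkdir_p(data)
  FileUtils.cp_r(File.join(source_dir, '.'), data)
  manifest = manifest_of(source_dir)
  File.write(File.join(backup_dir, 'MANIFEST'),
             manifest.map { |rel, hex| "#{hex}  #{rel}" }.join("\n"))
  manifest
end

def read_manifest(backup_dir)
  File.readlines(File.join(backup_dir, 'MANIFEST'), chomp: true).map do |line|
    hex, rel = line.split('  ', 2)
    [rel, hex]
  end.to_h
end

# Trial restore: copy the backed-up data into restore_dir and check every file
# against the manifest. Returns { ok: [...], missing: [...], corrupt: [...] }.
def verify_restore(backup_dir, restore_dir)
  FileUtils.mkdir_p(restore_dir)
  FileUtils.cp_r(File.join(backup_dir, 'data', '.'), restore_dir)
  expected = read_manifest(backup_dir)
  actual   = manifest_of(restore_dir)
  result = { ok: [], missing: [], corrupt: [] }
  expected.each do |rel, hex|
    if    !actual.key?(rel)  then result[:missing] << rel
    elsif actual[rel] != hex then result[:corrupt] << rel
    else                          result[:ok]      << rel
    end
  end
  result
end

# Constructed drill: a tiny "file server" is backed up and then restored.
# With tamper: true the backup copy is damaged first, which is what a weekly
# backup that nobody ever restores will not reveal until it is needed.
def restore_drill(tamper: false)
  Dir.mktmpdir do |tmp|
    source, backup, restore = %w[fileserver backup restore].map { |d| File.join(tmp, d) }
    FileUtils.mkdir_p(File.join(source, 'finance'))
    File.write(File.join(source, 'finance', 'q1.xlsx'), 'constructed spreadsheet bytes')
    File.write(File.join(source, 'memo.txt'), 'constructed memo text')

    back_up(source, backup)
    if tamper
      File.write(File.join(backup, 'data', 'memo.txt'), 'garbage')   # altered copy
      File.delete(File.join(backup, 'data', 'finance', 'q1.xlsx'))   # lost file
    end
    verify_restore(backup, restore)
  end
end

if __FILE__ == $PROGRAM_NAME
  p restore_drill               # every file :ok
  p restore_drill(tamper: true) # :corrupt memo.txt, :missing finance/q1.xlsx
end
```

The manifest is kept outside the data tree so the backup can be checked without trusting the files it protects, and the drill restores into a clean directory rather than over the live data, which is how a scheduled restore test should be run as well.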

2. Robocalls for credit card information. Interactive voice response systems and robocalls play a central role in new social engineering scams seeking credit card or password information. Bad guys steal thousands of phone numbers and use a robocaller to call unsuspecting employees.

“It’s fully automated,” Sjouwerman says. “The message goes something like, ‘This is your credit card company. We are checking on a potential fraudulent charge on your card. Did you purchase a flat-screen TV for $3,295? Press 1 for yes or 2 for no.’” If the person responds no, the script asks the victim to enter his credit card number, expiration date and security code.

“Just to add insult to injury, they ask the victim to enter a cell phone number so that a customer service rep can call back about this and reverse the charge,” Sjouwerman says.

While the scam seems to be aimed at consumers, the concept of combining robocalls and interactive voice response has implications for businesses, too, says Chris Silvers, owner and principal information security consultant at CG Silvers Consulting.

“The most obvious scenario would be to spoof an internal call from the voicemail system, asking employees to confirm their voice-mail password and maybe prompting for an emergency cell phone number or something similar,” Silvers says.

Prevention: Never act on incoming robocalls, experts say, and don’t trust the name on the caller ID. One telltale sign of the robocall scam: It says it’s from “your credit card company” but doesn’t name the company.

3. Phishing with healthcare records. Thanks to massive data breaches in 2013, criminals can now grab personally identifiable information and start merging records, including healthcare records.

For instance, a bogus email looks like it’s coming from your employer and its healthcare provider announcing that they’ve made some changes to your healthcare program. They’re offering preferred insurance rates for customers with your number of children. Then they invite the email reader to click a link that looks like it goes to the insurer’s website.

“Because the email is loaded with the reader’s personal information, there’s a high likelihood of one click, and that’s all it takes” to infiltrate systems, Sjouwerman says.

4. Phishing with funerals. This is perhaps the new lowest of the low. Social engineering gangs have been sending people phishing emails that appear to be from a funeral home informing the reader that a close friend has died and giving a date for the funeral. The hackers have already penetrated and compromised the funeral home’s website, so the moment the concerned friend clicks on the compromised website, they get redirected to a bad guy’s server.

Hadnagy confirms that this social engineering scam is sad, but true. “There are a few stories of this being used successfully. People click and get loaded with exploit kits or the scammers harvest credentials.”

At the bogus site, the bad guys quickly drop a piece of malware that over time pulls down a boatload of keylogger and other information. It also drops a Trojan, and the computer has just become a zombie able to carry out nefarious acts such as attacking other computers and sending spam.

Bottom line: Think before you act on emotion, Greaux says.

“Typically the [scammers’] motivator is fear, greed or curiosity. If you send out 10 emails, chances are 1 out of 10 of the recipients is going to be motivated by the emotion that they’re trying to use.”

■ Stacy Collett is a freelance writer and regular contributor to CSO.
Steve Ragan, Staff Writer
CSOonline’s Salted Hash blog and newsletter covers the news as it happens: blogs.csoonline.com/blog/cso

SALTED HASH

Hacktivism Struggles With a Slippery Slope as Anonymous Targets Children’s Hospital

MEMBERS OF THE FACELESS COLLECTIVE known as Anonymous have taken up the cause of a teenage girl after the Massachusetts Department of Children and Families removed her from her parents’ care last year. However, the methods used to show support may have unintended consequences that could affect patient care at Boston Children’s Hospital.

The hospital confirmed that it had been subjected to multiple distributed denial-of-service (DDoS) attacks in April that aimed to take the hospital’s website offline. Similar attacks, including website defacement, have also targeted the Wayside Youth and Family Support Network, the facility where the girl has been living. Both organizations are at the heart of a sensitive topic: child welfare and the rights of parents.

No one person or group has come forward to claim responsibility for the attacks, but chatter on the Internet has put the blame for these incidents on Anonymous and those supporting OpJustina, the Anonymous group advocating that the child be returned to her family.

Anonymous in Action

OpJustina started this year after Anonymous learned about Justina Pelletier, a 15-year-old girl who was removed from her parents’ care by Massachusetts state agencies.

Pelletier had long ago been diagnosed with mitochondrial disease, a disorder that causes malfunctions in a person’s mitochondria (a part of a cell that generates most of its energy) and can lead to a constellation of symptoms, depending on which cells are afflicted.

Last February, Pelletier was admitted to Boston Children’s because she was having trouble walking and eating. There she was treated not by her regular doctors but by a different team, who questioned her earlier diagnosis. They told Pelletier’s parents that their daughter’s real problem was somatic symptom disorder, a mental illness that manifests as physical symptoms.

Her parents disagreed, and started the process of having their daughter discharged from Boston Children’s, which led to a war of words with the doctors. The heated debate over the girl’s condition led to her parents being removed from the hospital by security and the Department of Children and Families being brought in.

After a series of legal maneuvers, Pelletier was made a ward of the state and removed from her family’s care. Doctors allege the family has engaged in medical child abuse, and the family claims the state kidnapped their daughter from a healthy home. The thorny dilemma drew Anonymous supporters to rally to the girl’s cause.

Initially, Anonymous set up petitions calling for the girl to be returned to her family and used social media and blogs to raise awareness of the situation and draw the media’s attention.

The activism started this February but had begun to lose steam by the end of March. That changed when lawyers representing the family released a note allegedly written by Pelletier, saying that workers in the facility where she was staying were abusing her. OpJustina took off then, and Web-based attacks increased.

A New Threat Vector

When asked his opinion on OpJustina as it relates to the attacks on healthcare organizations, one senior security professional in the medical industry says, “It’s disturbing.”

Speaking anonymously, as he wasn’t cleared to speak on the record about this topic, he said his feelings are based on his personal experience.

Aside from passive attacks, where a poorly developed website is defaced by a bot scanning the Web, healthcare organizations don’t usually consider activism to be a high-value threat. In fact, attacks such as those that targeted Boston Children’s Hospital and the Wayside Youth and Family Support Network are not considered likely, especially in the children’s healthcare field.

However, if the rumors and reported goals of OpJustina are true, the scary part of this type of attack for a healthcare organization isn’t the DDoS attacks or defacement, it’s the pivoting between systems that the attackers will do to obtain information. These actions could inadvertently cause serious problems.

In theory, one of the systems being used to pivot could be a biomedical system, which if tampered with, even unintentionally, could adversely affect patient care. And in the case of Boston Children’s Hospital, the patients are kids. Systems such as heart monitors, which are connected to a nurse’s station so they can generate alerts, could see a flood of false positives, leading to degraded care.

Or worse, attackers pivoting between systems could accidentally disable a biomedical system, preventing a legitimate alert from reaching the nurse. Such a situation, which is unlikely but still possible depending on how an organization’s network is configured, would stand as a horrific unintended consequence of digital activism.
Agile Doesn’t Have to Mean Fragile

TO BE AS COMPETITIVE AS possible, more and more organizations are creating agile development and operations teams who are collaborating closely and moving more applications and updates than ever before. Some are moving many dozens of updates and infrastructure changes a day.

This has some security managers and CISOs concerned that pushing updates out too quickly means that secure development practices and quality assurance get pushed to the side in favor of agility and speed.

According to Gene Kim, an author and founder of IT security firm Tripwire, a highly cooperative and iterative strategy doesn’t create the dangerous environment (security-wise, that is) that CISOs fear; in fact, it can enhance security. “We’ve witnessed this downward spiral that happens in almost every IT organization. It became typical that whenever you wanted a new release or deployment, in most enterprises, it would take days or weeks or longer to complete. It involves tons of project sign-offs and hand-offs. This includes developers, [database administrators], release teams, security and compliance people, operations teams and so on. This creates delays and is itself very error-prone,” Kim says.

Kim and other agile IT advocates contend that this creates fragile applications in production, builds up technical debt (including things that must be fixed in the future) and causes the business to run more slowly over time.

“It led to preordained failure where people felt, especially downstream [operations, test, security], trapped in a system where people were powerless to change the outcomes,” Kim says.

What devops advocates is testing as code is being developed. “This way you don’t have this up-front cost associated with this very long architecture phase before you start building. You are iterating,” says Bill Burns, former CISO with a major online streaming and entertainment service. “So it’s an opportunity for the security team to participate in that. It produces tighter feedback loops both within the dev and the ops worlds. Security gets to play in that as well.”

“The fact is, when done well, incorporating security into devops is sort of the holy grail for a really robust secure development lifecycle. Everyone says they want to put security up-front in the design and within the architecture phases. With devops, that becomes much more feasible,” Burns says.

An example Kim likes to share is the static code analysis application that the Twitter development team built into its Jenkins continuous integration processes. The tool, dubbed Brakeman, runs secure code analysis of the application, and its findings are fed into the home-built Security Automation Dashboard whenever a developer hits save on their work. After Brakeman’s quick analysis, the developer gets an email if there’s a negative finding that would say something along the lines of: “Hey, you may want to know that we just detected a SQL injection vulnerability. Click here to learn how to fix it.”

“The instant they fixed it and hit save, they would get another email from Brakeman saying, ‘Hey, thank you so much. Thank you for fixing the SQL injection vulnerability. Please rate our instructions on helpfulness, 1-5 stars,’” Kim explains.
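Brakeman, the tool named above, is an open-source static analyzer for Ruby on Rails applications (a fact about the tool that the article does not state). As an added example that is neither Brakeman’s code nor the Twitter team’s, the Ruby script below sketches the shape of that feedback loop with a deliberately small check: it flags Rails query methods whose SQL is assembled with string interpolation, and builds the finding or all-clear message a CI job would send back to the developer. The two controller snippets are constructed; the first is the vulnerable form, the second the parameterized fix that clears the finding.

```ruby
# Added example: a toy static check in the spirit of the Brakeman-in-Jenkins
# loop described above. It is not Brakeman's code and is far smaller than a
# real analyzer: it only flags Rails query methods whose SQL string is assembled
# with Ruby #{...} interpolation, and composes the message a CI job could send.

# Rails query methods whose first string argument is treated as SQL.
SQL_SINKS = %w[where find_by_sql execute order having group select joins].freeze

# A sink call whose double-quoted string argument contains interpolation,
# e.g.  where("name = '#{params[:name]}'")
SINK_RE = /\b(#{SQL_SINKS.join('|')})\(\s*"((?:[^"\\]|\\.)*#\{[^}]*\}(?:[^"\\]|\\.)*)"/

# One finding per offending line: [line_number, method, sql_string].
def sqli_findings(source)
  source.each_line.with_index(1).map do |line, no|
    m = SINK_RE.match(line)
    m && [no, m[1], m[2]]
  end.compact
end

# The feedback a developer would receive after saving, in the article's spirit:
# a finding with a fix hint, or an all-clear once the finding is gone.
def feedback_for(source)
  findings = sqli_findings(source)
  return 'All clear: no SQL is built from interpolated strings.' if findings.empty?
  findings.map do |no, meth, sql|
    "Line #{no}: #{meth}(\"#{sql}\") interpolates input into SQL. " \
    "Bind the value instead, e.g. #{meth}(\"column = ?\", value), " \
    "or check it against an allow-list when it names a column."
  end.join("\n")
end

# Constructed controller, vulnerable form: user input spliced into SQL.
VULNERABLE_SNIPPET = <<~'RUBY'
  class UsersController < ApplicationController
    def search
      @users  = User.where("name = '#{params[:name]}'")
      @sorted = User.order("#{params[:sort]} ASC")
    end
  end
RUBY

# Same controller, hardened: bind parameter for the value, allow-list for the
# column name (a bind parameter cannot stand in for an identifier).
FIXED_SNIPPET = <<~'RUBY'
  class UsersController < ApplicationController
    ALLOWED_SORT = %w[name created_at].freeze

    def search
      @users  = User.where("name = ?", params[:name])
      column  = ALLOWED_SORT.include?(params[:sort]) ? params[:sort] : "name"
      @sorted = User.order(column)
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts feedback_for(VULNERABLE_SNIPPET)
  puts feedback_for(FIXED_SNIPPET)
end
```

The point of wiring a check like this into the build is the turnaround Kim describes: the finding arrives while the developer is still in the file, and the fix is confirmed the same way. A real analyzer tracks data flow rather than matching one line at a time, but the contract with the developer is the same.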

A survey recently conducted by automated server management software provider JumpCloud found that such security automation, including activities such as patching, user management, log analysis and forensics, is an integral part of the devops movement.

That’s exactly how security should be coupled to the process, explains Burns. “You build these small feedback loops that are tightly coupled between the developers and the operation roles so you log more events. When you are security and you are part of those conversations, you get to make these incremental improvements and pivot with the product or the service as they’re developing it,” Burns says.

-George V. Hulme is a freelance security and technology writer based in Minnesota.
Add More Women to Your Workforce

Only 11 percent of infosec professionals are women. To help change that number, here are 10 tips for recruiting and retaining more qualified women. By Maria Korolov

IF THE INFOSEC INDUSTRY COULD just double the percentage of women in its workforce, going from 11 percent to 22 percent, it would solve its staffing shortage.

Sadly, most companies’ recruitment processes are designed to attract the kind of people who already work there. Changing that requires conscious effort. Here are 10 ways to start.

1. Build a pipeline of women. Support educational programs aimed at girls and young women in schools and colleges in your area and around the country. This may seem like a long-term approach, but it has an immediate benefit: it helps create a woman-friendly corporate atmosphere.

Latha Maripuri, director of IBM Security Services, says this is one of the reasons that she’s stayed with IBM for almost 20 years.

“They’re involved in a lot of the women-in-technology initiatives, a lot with education,” she says. “I’ve gone locally into schools talking to women about science and technology and doing shows to show that science can be fun, that it doesn’t have to be uncool, to show what the possibilities are.”

2. Set up internships for young women. An internship program aimed at attracting young women to a company can help dispel some of the myths about IT careers. It can also help women adjust their studies, if need be, to meet workplace requirements.

“In October, I was at the Grace Hopper conference,” says Julie Talbot-Hubbard, who was CSO at Symantec at the time she was interviewed. “We had a recruiting table for college-age women interested in a job or internship. A lot of them are in IT or engineers, but some are psychology or sociology majors, and I think that’s going to become more prevalent in the security world.”

Companies can work more closely with educational institutions in other ways too. “I think we’ll also see more training programs where companies work directly with colleges to help develop the channel,” says Julie Peeler, foundation director of (ISC)2.

3. Participate in women’s professional organizations. A company can actively participate in both national and regional professional women’s groups to give back to the community, create networking opportunities, showcase its own female leaders, and position itself as woman-friendly.

GoDaddy, for example, which recently appointed the first woman to its board of directors, also just announced a partnership with the Anita Borg Institute.

“At GoDaddy, more than one-third of the leadership is comprised of women, who are actively involved with a variety of nonprofit organizations,” says GoDaddy’s CTO Elissa Murphy. “In fact, GoDaddy CEO Blake Irving has long been involved with the Society of Women Engineers and the Grace Hopper Celebration of Women in Computing.”

Also, she says, GoDaddy runs a large internal Women in Technology network that supports women’s professional development.

BAE Systems also has its own women’s professional organization, Women in Leadership, which is employee-owned and supported by executive management.

“It fosters women of all backgrounds, in all functional organizations, not just infosec or IT, helping them move forward in terms of management at BAE,” says Jo Cangianelli, vice president of business development for the company’s intelligence and security sector.

4. Set up mentoring programs. Mentoring relationships, both formal and informal, can provide support to women both thinking of entering the profession and looking to move up the ranks.

“I personally reach out to people and offer them an opportunity to be mentored,” says Pam Kostka, VP of marketing at Bluebox Security. “When I look back at my history, what gave me opportunities were mentoring relationships. And I’ve seen it work with other women.”

5. Showcase women in infosec. IBM’s Maripuri says she’d like to see more emphasis on visibility industry-wide. “I would love to see more focus highlighting women executives in the IT security space, for younger people in high school and college trying to figure out what careers they should go into.”

6. Allow a better work-life balance. The information security field lends itself to both flexible hours and flexible career paths, and more companies should take advantage of that and publicize it.

“IT and security, because it’s very much doing work remotely, gives a bit more balance than people would expect,” says Maripuri. “More than other careers, like being a lawyer.”

An environment that allows employees to balance their personal and professional lives and does not penalize them for making these choices isn’t just a better place for women to work, but a better place for all employees.

7. Put women on all interview panels. When a female applicant comes in for a job interview, is she faced with a row of white male faces?

If so, she might get the impression that the company is not friendly to women. Some women are comfortable working in an all-male environment, but others may get the feeling that they’re not wanted, or that the company has a culture that’s inhospitable to women. Otherwise, why aren’t more women already working there?

“We try to include a female in the interviewing roster, partly to encourage diversity, but also to get a full representation of the company,” says Bluebox Security’s Kostka.

8. Write a female-friendly ad. Too often, help-wanted ads are written as skill lists. This skews the gender balance of the applicant pool, since men tend to apply if they have any of the skills on the list, while women tend to apply only if they have all the skills listed. As a result, some potentially excellent female candidates take themselves out of the running at the very start.

Instead, write an ad that focuses on outcomes. Better yet, use split testing to run multiple versions of an ad and see which approaches generate more female candidates. Then tweak the wording and repeat the test.

9. Go outside infosec. There are great female candidates to be found in other industries who could offer substantial benefits to your security team.

Look to the legal professions, communications, risk analysis, finance and the hard sciences. Then train the new hires in the security skills they’ll need.

“On my team at IBM, half the team grew up in the security ranks and the other half are newer, with a background in project management, analytics or IT, who are now learning the security space,” says Maripuri.

10. Be more hospitable to women. Does everyone in the office hit the bars together right after work? That’s fine if everyone is young and single, or has spouses willing to pick up the slack at home. But lunchtime outings may be more appropriate for a more diverse workforce.

Then there are more subtle things, like tone of voice. In a male-dominated environment, some men may use their knowledge as a verbal weapon. This creates an unpleasant environment for everyone, especially for women.

“Women tend to be, generally speaking, more socially engaged,” says Lynne Williams, an IT professor at Kaplan University who has seen this dynamic play out repeatedly in her computer science classes. Since switching to online teaching, she says, women’s participation in classes has gone up dramatically and the gender ratio is nearing 50/50.

“In an online classroom, you’re not having to deal with all the competition,” she says. “Women are not afraid to ask questions in that environment. I have a lot of women students now coming through my IT graduate courses, and they’re doing as well as or better than the fellows.”

■ Maria Korolov has covered emerging technologies and markets around the world.
SECURITY MEANS BUSINESS

The best security projects create opportunities for business growth: entering new markets, operating more efficiently, prioritizing resources and fostering organizational agility.

In its third year, the CSO50 Awards will recognize 50 security initiatives for outstanding business contributions. Whether it's a new system, new processes, or a novel organizational approach, we want to know about your best work, and how you measured its value to the enterprise.

Nominations will be judged by a panel of veteran security leaders and industry experts, working together with CSO's editors.

APPLY TODAY AT HTTP://BIT.LY/CSO50NOM15

All CSO50 Award honorees will be recognized at the CSO50 Security Confab + Awards event, February 23-25, 2015* in Florida. This event is security leaders' best forum for networking and exchanging ideas that work.

DON'T BE LATE! The deadline for nominations is July 2, 2014!

Michael Santarcangelo, Security Catalyst

BEHAVIORAL ANALYSIS WAS A HOT topic back in the late '90s. Except the approach never really worked well enough to adopt; even folks who were slaves to routine managed to disrupt the baseline pattern wide enough to drive a truck through it.

But that's not true anymore, and this shift has good timing, too.

Confirmed again with the release of the 2014 "Verizon Data Breach Investigations Report" is the reality that attackers seek credentials. As noted in the executive summary: "User credentials are also a popular target, but mainly as a gateway to other kinds of data or other systems."

Addressing the challenge means detecting when credentials are compromised and used. A key to success is developing an accurate understanding of how people use the systems and resources we need to protect.

As it becomes increasingly important to gain better insight so we can make better decisions, we have to adjust our own thinking, processes and capabilities. Part of getting it right includes considering the role people play.

Putting People Back in Focus

While profiling behavior is important, it tends to be a touchy subject. The way we approach and explain the program, process and results goes a long way toward building acceptance and ensuring success.

Minimally, this is a way to protect the systems and information our colleagues rely on every day. We're part of a team, and this is ultimately an opportunity to make it easier for people to do their jobs, not continue to tell them no and block them.

I should clarify as an aside: While I generally advise against broadly referring to your colleagues as "users," a word that is usually a way to distance ourselves from others, when it comes to behavior profiling and analytics, the term "user" is appropriate. Just keep in mind that while the term is fine for describing your coworkers in aggregate, we still serve individual people.

There's an Upside to Understanding People

Once we adopt a mind-set of serving our colleagues, our focus turns to understanding how people use systems and information. Today's improved assessment tools allow us to capture accurate behavioral profiles.

Kevin Epstein, VP of advanced security and governance at Proofpoint, says that "by building an understanding of how our clients use the system, we improve incident response. It's helping discern the difference between 'Mr. Clicky' and the mistake."

This understanding provides cues that indicate the level and type of response required. Looking at trends and identifying common disruptions helps security departments identify areas for improving the culture.

Capturing the right information and comparing it to the baseline also helps with attribution. Being able to quickly understand if you are under attack and find information about where the attack is coming from and who it might target improves both immediate and future responses. It's the difference between constant reaction (sometimes considered practice) and steady improvement.

Done right, this approach improves the entire cycle of prevention, detection and response. These benefits are possible when we know what normal looks like.

Identifying Normal in an Age of Constant Change

"If behavior is malicious, the only way to find out is to understand normal," says Matt Hathaway, senior product manager at Rapid7.

In a time when constant change is the new normal, security's methods have to change too. When I asked what's changed from the last great push into behavior profiling in the '90s, Hathaway pointed out that a key element is looking for two or more indicators instead of reliance on a single behavior.

For example, Hathaway explained that during the recent response over Heartbleed, many people at Rapid7 put in an all-nighter (or two). In previous approaches, one or more people logging into their systems at odd hours of the evening would be a flag of potential misuse or compromise.

Current technologies are able to take into account the location, timing and activities of multiple people and use that to consider if the behavior is deviating from the baseline enough to warrant action. And they learn, including what not to learn, in the process.

Hathaway says the key thing to look for when picking a system is its ability to drive actionable intelligence instead of just a series of alerts.

Machine Learning With Human Validation

I'm seeing more companies incorporate machine learning and data science to offer better solutions. When I asked Hathaway about that, he explained that UserInsight, the new program from Rapid7, uses a blended approach of machine learning with "the right touch of human validation."

What caught my attention was the ability to build on the experience of the Metasploit and penetration testing teams and incorporate human guidance into the overall solution.

Hathaway pointed out that relying exclusively on machine learning "could lead to an environment of unwanted behavior included in the baseline."

In the process of learning, some things are accepted, while others, like correlating user accounts to specific people, may trigger an initial manual review.

The goal of any solution is to build an accurate understanding of what is normal in your organization to drive actionable intelligence when something isn't right.
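As an added illustration of the two points Hathaway makes above (an alert should need two or more indicators, and unwanted behavior should not be learned into the baseline without human validation), here is a small scorer over constructed login events. It is not Rapid7's UserInsight code or any code from the column; the user names, locations, actions and thresholds are made up for the example.

```python
"""Multi-indicator baseline scoring over constructed login events (added example).

A user is flagged only when two or more indicators coincide (odd hour, unseen
location, unseen kind of action); an odd-hour login is discounted when several
colleagues are active in the same hour (the Heartbleed all-nighter case); and an
alerted event is folded into the baseline only after an analyst validates it.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: (user, timestamp, source location, action). Hypothetical names.
HISTORY = [
    ("alice", "2014-04-01T09:05", "office", "login"),
    ("alice", "2014-04-02T10:15", "office", "login"),
    ("alice", "2014-04-03T09:40", "home-vpn", "login"),
    ("alice", "2014-04-03T14:10", "office", "read_ticket"),
    ("bob", "2014-04-01T08:55", "office", "login"),
    ("bob", "2014-04-02T17:30", "office", "read_ticket"),
]


def hour_of(ts):
    """Hour of day of an ISO-8601 timestamp such as 2014-04-01T09:05."""
    return datetime.fromisoformat(ts).hour


def build_baseline(events):
    """Per-user sets of the hours, locations and actions seen so far."""
    baseline = defaultdict(lambda: {"hours": set(), "locations": set(), "actions": set()})
    for user, ts, loc, action in events:
        b = baseline[user]
        b["hours"].add(hour_of(ts))
        b["locations"].add(loc)
        b["actions"].add(action)
    return baseline


def indicators(event, baseline, concurrent=(), peer_threshold=3):
    """Names of the indicators that fire for one event.

    `concurrent` holds the other events from the same window. If at least
    `peer_threshold` other users were active in the same hour, an off-hours
    login is treated as a shared incident rather than an individual anomaly.
    """
    user, ts, loc, action = event
    hour = hour_of(ts)
    b = baseline.get(user)  # .get() does not create a default entry
    if b is None:
        return {"unknown_user"}
    fired = set()
    if hour not in b["hours"]:
        peers = {u for u, t, _, _ in concurrent if u != user and hour_of(t) == hour}
        if len(peers) < peer_threshold:
            fired.add("off_hours")
    if loc not in b["locations"]:
        fired.add("new_location")
    if action not in b["actions"]:
        fired.add("new_action")
    return fired


def assess(event, baseline, concurrent=(), min_indicators=2):
    """Return ('alert' or 'ok', fired): an alert needs two or more indicators."""
    fired = indicators(event, baseline, concurrent)
    return ("alert" if len(fired) >= min_indicators else "ok", fired)


def learn(event, baseline, verdict, validated=False):
    """Fold an event into the baseline; alerted events need analyst sign-off first.

    Returns True when the baseline was updated, False when the event was held back.
    """
    if verdict == "alert" and not validated:
        return False
    user, ts, loc, action = event
    b = baseline[user]
    b["hours"].add(hour_of(ts))
    b["locations"].add(loc)
    b["actions"].add(action)
    return True


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # All-nighter: alice logs in at 02:00 while three colleagues are also active.
    night = [("bob", "2014-04-08T02:10", "office", "login"),
             ("carol", "2014-04-08T02:05", "home-vpn", "login"),
             ("dave", "2014-04-08T02:20", "office", "login")]
    print(assess(("alice", "2014-04-08T02:00", "office", "login"), base, night))
    # Lone 02:00 login from an unseen network running an unseen action.
    print(assess(("alice", "2014-04-09T02:00", "cafe-wifi", "export_db"), base))
```

A single new indicator (for instance an unseen location during normal hours) stays below the threshold, which is the point of requiring a second one before anyone is paged.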

Focusing on People to Protect Systems and Information

We know attackers seek credentials. The more we do to profile normal behavior, the more likely we are to make this route of attack harder.

The importance of behavioral profiling and analysis is increasing. The good news is that the technology is improving, too.

Even better, emerging solutions are poised to provide insights and guidance that benefit the entire cycle of prevention, detection and response.

This is another opportunity to partner with the people we serve and make their jobs easier by protecting the systems and information we all rely on.

-Michael Santarcangelo is the founder of Security Catalyst


INDUSTRY CHATTER ON TWITTER

"Please click through this unilateral NDA to enter our premises." Umm, no.

-Andy Ellis @csoandy

What fresh hell awaits us this Monday morning? Will we even be lucky enough to get a fresh hell, or will it be stale again?

-Jack Daniel @jack_daniel

Most of the "sky is falling" security proclamations regarding #IoT aren't actually about "security," but rather "privacy."

-Hoff @Beaker

Being against things is easy, what are you for? Or how are you contributing/fixing/enhancing to steer/fuel things toward those?

-Joshua Corman @joshcorman

Execs Are Clueless and Security Pros Are Uncertain About Ability to Fend Off Attacks

IT SECURITY PROS LACK CONFIDENCE IN THEIR ability to prevent cyberattackers from stealing high-value data, and they say upper management lacks an understanding of the potential losses, a global study shows.

The findings of the survey, which was sponsored by Websense and conducted by the Ponemon Institute, point less to a need for technology and more to a lack of shared intelligence on cyber threats and poor communications among security pros, CEOs and board-level executives, says Jeff Debrosse, director of security research for Websense.

The survey of nearly 5,000 IT security pros in 15 countries, including the U.S., found that roughly six in 10 respondents were convinced that the organizations they worked for were not adequately protected against advanced cyberattacks. A similar percentage of respondents felt the same way about stopping the theft of confidential data.

The lack of confidence is expected, given that no security products can build an impenetrable wall against attacks, Debrosse says. To bolster confidence, security pros should share attack intelligence to get a better understanding of their foes and how to defend against them.

"We can get a lot better at what we do once we start to formalize and come up with an acceptable vetting process to share information between organizations," Debrosse says.

Progress toward more information sharing between companies has been slow due to fears that rivals would use the data for competitive advantage, experts say. Companies often require layers of nondisclosure agreements that hamper sharing efforts.

Government information is also hard to get due to fears of compromising national security.

Most private data shared today is between large organizations within single industries. In 2013, President Barack Obama issued an executive order requiring federal agencies to share more information with critical infrastructure owners and operators. Efforts in that area are ongoing.

As to the relationship between a company's leaders and its security pros, eight in 10 of the latter believe upper-level executives do not equate losing confidential data with lost revenue, the survey found.

Other recent Ponemon research has found that the average cost of a data breach within an organization is $5.4 million. But despite that potential loss, nearly half of survey respondents said board-level executives had a "sub-par understanding of security issues."

Executives often do not have a grasp on the state of defenses in an organization because security pros will describe problems in esoteric terms, Debrosse says. Security techs also tend to have "a bias that if you don't speak my techno-lingo, you must not be bright."

To clear this hurdle, both sides have to take into account each other's expertise in solving security problems. Executives have to get a fuller understanding of the risks associated with cyberattacks, and security pros need to focus on the cost-effectiveness of the approaches they take in locking down data. -Antone Gonsalves

What skills, background and education does a security executive need if they want their career to evolve? By Bob Violino

WHAT DOES THE FUTURE HOLD FOR ENTERPRISE security? What will programs, roles, technologies and policies look like in five years or so?

Prognosticating can be tricky, especially in such a fast-changing digital environment. But part of the security executive's job is to not only keep up with the latest developments, but also to anticipate what might come next so companies can prepare to handle challenges.

CSO interviewed security executives about the future and where they see their discipline headed. Here are some of the major trends they expect to see.

Changing Role of the Security Officer

There will be a continued convergence of physical and cybersecurity, and this will affect the role of the security executive, says Roland Cloutier, CSO at ADP, a provider of human resources, payroll, tax and benefits administration services.

"The management [issues] of physical investigatory and cybersecurity functions are so interrelated that it just makes sense to have a single management function that has appropriate transparency and oversight," Cloutier says. "We will still have global metrics for all those [security] service areas and there will still be service silos," but they will all be managed under one department, he says.

"I believe that's where the [corporate security] world will be headed, and it's already in the nascent stages," Cloutier says. "This has been a topic for security executives in the last few years, but now we're seeing large organizations heading down that path."

Many companies will consolidate the CSO and CISO functions, Cloutier says. But that won't reduce the importance of either physical or cybersecurity, and the people in that role will need to be experts in all aspects of security.

Regardless of what title these individuals hold, the important factor is that all security and risk management will be under one roof. "We will not have competing security executives on either side of the house," Cloutier says. "You'll have one individual or entity that is required to make risk-based decisions for the organization."

Future security leaders will be more technically inclined than they are today, Cloutier predicts. "We've spent a lot of time saying that security executives need to understand the business or have leadership skills," he says. "But I don't think you can [perform] this role in the future unless you have an incredible knowledge of technology."

At the same time, security chiefs will need to assert themselves as business leaders. "As the C-suite continues to recognize the importance of security, and that it must be an integral part of holistic business strategy, heads of security need to be more a part of the decision-making process for the business as a whole," says Richard Greenberg, information security officer at the Los Angeles County Department of Public Health.

And in addition to security, executives must become more proficient in data-privacy matters. "There will be more interaction between privacy and security," says Jason Taule, chief security and privacy officer at FEI Systems, a provider of information and analytics services for government entities dealing with behavioral and mental healthcare. Personal and professional information are getting harder to separate as more and more companies start using social media and big data. That blending will create tension that could lead to more legal actions, he says.

Companies will need someone in the role of chief privacy officer, and this person should probably be the same as the top security officer, Taule says, because guarding privacy, whether it's that of employees or customers, is so closely linked to protecting data.

"I do think the security officer's job will become increasingly about privacy because we need to ensure the actions we take do not infringe on the rights of data owners, especially when the data in question has been entrusted to us for safekeeping," Taule says. "Privacy is just another question of risk. And the security officer's job is about managing different kinds of risks."

Changing Roles Within Security Departments

New security job functions will emerge in the coming years as organizations place greater emphasis on areas such as cloud computing, mobile technology and big data.

"As more infrastructure and solutions move to the cloud, job functions required to manage this will be different than what we traditionally have seen," Greenberg says. "More project managers will need to be hired at companies as more security jobs migrate to the cloud."

"We will see cool new names like data security scientist and cloud control engineer or analyst," Cloutier says. "But we need to define what these functions mean, prioritize them and start finding people" to fill these roles.

In some cases, companies will opt to convert existing positions into these new functions, Cloutier says. For example, they might retrain a firewall technician to be a cloud control engineer.

Some observers expect to see a dramatic shift in the role of the security department itself and its relationship with other functions.

"We will see corporate security become a merger between IT security, [human resources] security, facilities security and operational security," says Michael Daly, director of IT security services and deputy CISO at technology giant Raytheon.

"And these will be part of a larger shared services function at the corporate level, supporting all of the company's businesses," Daly says.

"This is driven by cost and efficiency, but also by the convergence of technologies that support these functions as well as the leverage gained by business analytics built from their converged data systems."

Analytics and the Cloud

Data management and analytics capabilities are becoming increasingly important for organizations as they accumulate massive stores of information from a growing number of sources.

"We hope to gain much-improved predictive capability from threat analytics built on access to community and enterprise data," Daly says. "We also anticipate big gains in our privileged user and insider threat monitoring as a result of improved behavioral sensing and analytics."

Expect to see heavier investments in monitoring, alerting and response capabilities that use big-data analytics to significantly shorten response times, says James Beeson, CISO and IT risk leader at commercial finance provider GE Capital Americas. IT security will become "much more behavior-analysis driven," Beeson says.

The leading security organizations "will be the ones that are well informed, that have the ability to look broadly across not just the security technologies they hold, but the business functions, transactions and applications across the organization," Cloutier says.

"Those that look deeply into information [resources] and make sense of it, and leverage big data, analytics, artificial intelligence and machine learning will be the big winners."

Those organizations will be more likely to maintain the integrity of their networks, will have a better understanding of security trends and will be able to make security-related decisions using real-time information, Cloutier says.

Cloud-based services will help companies manage and use big data sets, Cloutier says. Because some cloud service providers will have expertise in areas such as reverse malware engineering, companies that use these services will not need to have these skills internally, he says, which cuts costs. Companies will just need to send malware data to the service provider, which will quickly review the data and send back results.

"The cloud has enabled us as security practitioners to do some innovative things with our resources without growing them," Cloutier says. But while big data, analytics and the cloud will help organizations in their security efforts, they also present new potential security threats on their own, he says. Companies will need to work with vendors to develop effective ways to protect massive stores of data that are housed both on-premise and in the cloud.

Greater Focus on Data Protection

Information security in the future will be much more focused on protecting data than on trying to create protective perimeters around organizations in which information resides on a dizzying array of devices that are frequently in motion, Taule says.

This trend has already begun, Taule says, with companies moving away from the concept of establishing set boundaries to protect themselves. "We're continuing to the point where the only way to get a handle on this is to reassert the boundary, not at the edge of the network" but at the place where the data lives regardless of how it's accessed, whether it's via a desktop computer, laptop, smartphone, tablet, voice over IP phone, IP video camera or any other type of system, he says.

Trends such as bring your own device and bring your own anything are making it much more difficult to rely on network firewalls to protect against security breaches.

"The idea of trying to put a [single] boundary around all that is insane," Taule says. "It's no longer about putting a boundary around the network, but around the data" a company is trying to protect.

Enterprises will rely increasingly on technologies that enable them to identify which individuals should be able to access which types of data and when, Taule says. Identification and authorization is becoming ever more important in an increasingly mobile environment, as organizations need to know they can trust that a user is who he says he is.

Emerging data- and activity-management tools will allow companies to build profiles about users and track typical patterns of activity and usage, Taule says. This will help them spot anomalies that might indicate a potential data breach, much like credit card companies do today, he says. Technology such as desktop virtualization, which gives organizations more centralized control of the security of individual devices, will also help, he says.

"A big reason for using virtualization is the challenge of managing lots of images across lots of workstations," Taule says. FEI Systems has begun deploying desktop virtualization and in the future will take it to new levels, he says.

"From an application standpoint, we're working with a [vendor] to maintain a continuously secure compute platform by constantly tearing down and rebuilding applications, so that any poisoning or backdoors have no persistence, as the environment is restored anew on an ongoing basis," Taule says.

The focus on providing security from a data standpoint will only grow in the coming years as the Internet of Things becomes more of a reality.

"We're going to start putting refrigerators and cars on the network, so there will be more to the network than traditional computing platforms," Taule says. "There is a lot of stuff that many may not be aware is already connected to the network," such as IP cameras, embedded systems and measuring devices. "What's worse is that vulnerabilities exist in these devices too, but they are often ignored and efforts to manage risk will only provide a false sense of security as long as unknown entry points persist."

Policy and Enforcement: Clearer and Tougher

As security roles evolve in the future, so too will corporate security policies, experts say.

"I think we will more tightly control access to 'crown jewel' information and more loosely control everything else, [and have policies and] enforcement to match that," Beeson says. To that end, security policies will require that only

Back to School

We asked five executives what they wish they, or their colleagues, could learn more about

Michael Cox
Chief privacy officer, Pathway Genomics

I'm interested in participating in research into the psychology of privacy, specifically delving into the study of individuals' expectations around data sensitivity and their rights relative to various data sensitivity levels.

Currently, U.S. privacy laws and regulations do not technically incorporate data sensitivity into their requirements. One exception is that the new HIPAA Omnibus Final Rule requires that data sensitivity be considered as a part of a four-factor risk analysis to determine whether a data compromise is a reportable breach.

I'm excited to have recently been invited to participate in a think tank at Lares Institute, founded by Andy Serwin, one of the nation's top privacy lawyers.

Lares has already done some early research that supports the notion that individuals consider some types of personally identifiable information more sensitive than others.

What do I expect to get out of this? The idea is to establish sufficient justification to rank data into a sensitivity classification scheme, which would facilitate a risk-based approach to data governance and management.

For example, highly sensitive data would require the strongest governance oversight and security protections, including layers of preventive and detective controls. Governance and security protections would be reasonably and appropriately adjusted for sensitive and less-sensitive data levels.

As a risk management professional, I'm a big believer in a risk-based approach being more protective of individuals and organizations than check-the-box compliance. As a privacy professional, this is an opportunity to ensure we are meeting individual expectations as well as possibly influencing regulatory change.

Jodie Swafford
CSO and IT infrastructure director, Clayton Homes

I believe partnering with HR and legal are among the most important relationships you can have as a CSO: learning the challenges they're facing, the ins and outs of their job, how technology is being used in society, and ultimately what impact it has on your business and employees.

Additionally, all businesses face regulatory changes and e-discovery requests, which directly impact these groups. It's our job as technologists and risk advisers to be plugged in to these challenges and assist however we can.

As a technical student, I like the interplay between stock technical analysis and security information and logs. You're trying to identify baselines and areas of support and resistance, spot anomalous activity, and ultimately decide whether a trend needs to be investigated further. Honing these skills is rewarding and intellectually challenging.

Michael Daly
Deputy CISO and director of IT security services, Raytheon

When I interview people for a position, the most important question I ask is how they address this issue for themselves in their own lives. What are you learning about this week?

How do you keep up? What topics do you think are interesting and will be important for your job in the near future? What is of interest to you but not necessarily part of your likely work?

In my world where we are concerned with the convergence of intelligence and cybersecurity, data is king: big data. Or perhaps it's more appropriate to think of data as the army working for the king. To make the king more effective, we need battlefield situational awareness and predictive analytics. What are the relationships between the data, what do those imply, and what are the likely changes? To that end, the new learning is in statistics, advanced analytics and graphing.

Even with as much data as we have, we could still use more: new data sources that help us better understand patterns of life, tactics and techniques, allow us to know which other data elements are the most important. So, paradoxically, more data helps us deal with the data glut.

Another area of learning for cyber professionals is in the wide array of sensors measuring our lives and environments,
and  the  platforms  to  which 
those  sensors  are  affixed,  from 
the  obvious  mobile  devices  and 
cameras,  to  power  control  sys¬ 
tems,  physical  access  systems, 
location  reporting  and  health 
meters.  Understanding  these 
will  allow  us  to  make  better  risk 
decisions  and  better  allocate 
our  resources. 

The  third  learning  focus  is 
in  geopolitics  and  world  news. 
It’s  fairly  obvious,  but  often 
ignored  by  technical  security 
professionals,  that  we  need  to 
know  what  is  happening  in  the 
world  around  us  to  extrapolate 
motivations  and  capabilities 
so  we  can  assess  risk  to  our 
enterprises. 


James  Beeson 


CISO  and  IT  risk  leader, 

GE  Capital  Americas 

Generally  speaking, 
I  would  tell  people 
to  learn  more  about 
finance.  I  would 


love  to  continue  to  gain 
knowledge  in  this  space. 

In  my  opinion,  the  language 
of  business— regardless  if 
you’re  talking  about  GE  or  a 
local  ice  cream  shop-is  finance. 
The  better  you  understand 
finance,  the  better  you’ll  be 
able  to  translate  and  com¬ 
municate  effectively  about 
infosec  to  business  leadership, 
because  you’ll  understand  their 
language. 

Economics  would  be  another 
area  I’d  like  to  know  much  more 
about.  I  think  that’s  another 
area  we  infosec  folks  should 
pay  much  more  attention  to 
than  we  do. 

For  example,  if  you  think 
about  the  Internet  growing  at  a 
current  rate  of  about  750,000 
net  new  people  every  single 
day,  this  is  750,000  potential 
bad  guys. 

If  you  factor  in  that  most 
of  that  growth  comes  from 
developing  countries,  and  due 
in  large  part  to  the  mobile 
device  explosion,  and  that  folks 
in  these  countries  barely  eke 
out  enough  money  to  buy  food 
and  make  way  less  than  people 
in  developed  countries,  you’d 
think  we’d  consider  that  in 


our  security  plans. 

By  nature  a  lot  of  malicious 
activity  is  bound  to  come  from 
these  areas. 

Roger  Johnston 

Head  of  the  vulnerability 
assessment  team,  Argonne 
National  Laboratory 

1.  Countermeasures 
to  cognitive 
dissonance  (CD) 
and  groupthink.CD 
and  groupthink  lead  to  all  kinds 
of  problems  in  business, 
government,  personal  lives  and 
security. 

2.  Dealing  with  multigenera- 
tional  employees.  The  cultures 
are  quite  different. 

3.  Dealing  with  multiple 
cultures  and  genders.  The 
world  is  going  global  and 
we  need  to  work  effectively 
with  people  not  very  much 
like  us. 

4.  How  education  is  chang¬ 
ing.  What  being  educated  will 
look  like  in  the  future.  What 
will  need  to  be  done  to  stay 
technically  current? 

5.  The  big  breakthrough 
technologies  coming  down  the 
road. 

-Bob  Violino 


“absolutely  identified”  users  be  granted 
any  access  to  these  critical  information 
assets,  and  even  that  will  be  limited  and 
highly  controlled,  he  says. 

Security  policies  in  the  future  will 
need  to  be  more  specific  in  terms  of 
how  users  should  and  should  not  be¬ 
have  online,  and  how  users  should  han¬ 
dle  sensitive  data  and  leverage  security 
technology,  Cloutier  says.  “We  have  to 
give  people  better  guidelines  and  use- 
case  scenarios,”  he  says.  “This  includes 
giving  them  how-to  [instructions]  in 
very  specific  environments,”  such  as 


cloud  services. 

“Due  to  a  heightened  awareness  of 
security  and  the  light  being  shined 
on  events  by  traditional  media,  gross 
noncompliance  will  not  be  tolerated,” 
Greenberg  says.  “Currently,  [corpo¬ 
rate]  culture  determines  how  infrac¬ 
tions  and  negligence  are  addressed, 
and  it  varies  widely  from  company  to 
company.” 

Some  companies  will  come  to  rely 
more  on  analytics  to  help  with  security 
and  compliance  enforcement. 

“Historically,  most  enforcement  has 


been  based  on  simple  binary  rules — 
Johnny  copied  a  document  that  should 
not  have  been  copied  to  a  USB  stick,” 
Daly  says.  “Financial  companies  have 
developed  more  complex  behavioral 
analytics  that  identify  possible  fraudu¬ 
lent  activity.  These  more  complex  rules, 
coupled  with  the  power  of  cloud  com¬ 
puting,  are  enabling  much  more  sen¬ 
sitive  policy  compliance  alerting  and 
enforcement.” 
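To make the contrast Daly draws concrete, here is an added example (not from the article, and not Raytheon's or any vendor's code) that runs both styles of check over a constructed log of removable-media copy events: a binary rule that fires on any file labelled confidential, and a behavioral rule that compares each user's daily copy volume with that user's own history. The event data, the labels, the thresholds (three standard deviations, a 1 MB floor on the deviation, at least three baseline days) and the field layout are all assumptions made for the example.

```python
"""Binary DLP rule vs. per-user behavioral baseline over USB-copy events.

Added example, not from the CSO article. All events below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (day, user, document label, megabytes copied to removable media).
# Days 1-5 are the baseline period; day 6 is the day under review.
EVENTS = [
    (1, "alice", "internal", 9.0), (2, "alice", "internal", 11.0),
    (3, "alice", "internal", 10.0), (4, "alice", "internal", 12.0),
    (5, "alice", "internal", 8.0),
    (1, "bob", "internal", 50.0), (2, "bob", "internal", 48.0),
    (3, "bob", "internal", 52.0), (4, "bob", "internal", 50.0),
    (5, "bob", "internal", 50.0),
    (1, "dave", "internal", 5.0), (2, "dave", "internal", 5.0),
    (3, "dave", "internal", 5.0), (4, "dave", "internal", 5.0),
    (5, "dave", "internal", 5.0),
    (6, "alice", "internal", 400.0),    # bulk export; nothing labelled confidential
    (6, "bob", "internal", 52.0),       # ordinary day for bob
    (6, "carol", "confidential", 3.0),  # one labelled file from a user with no history
    (6, "dave", "internal", 30.0),      # six times dave's usual volume
]


def binary_rule(events):
    """The 'simple binary rule': any confidential document copied to removable media."""
    return [e for e in events if e[2] == "confidential"]


def daily_volume(events):
    """Sum megabytes copied per (user, day)."""
    totals = defaultdict(float)
    for day, user, _label, mb in events:
        totals[(user, day)] += mb
    return totals


def behavioral_alerts(events, baseline_days, review_day,
                      z_threshold=3.0, std_floor=1.0, min_history=3):
    """Flag users whose review-day volume sits z_threshold deviations above
    their own baseline mean.

    std_floor keeps a perfectly constant baseline (stdev 0) from dividing by
    zero while still letting a large jump score high; min_history skips users
    who have too little history to score at all (they are not 'clean', just
    unscored, which is why the binary rule is still worth running beside this).
    """
    totals = daily_volume(events)
    users = {user for _, user, _, _ in events}
    alerts = []
    for user in sorted(users):
        history = [totals[(user, d)] for d in baseline_days if (user, d) in totals]
        if len(history) < min_history:
            continue
        today = totals.get((user, review_day), 0.0)
        mu = mean(history)
        sigma = max(pstdev(history), std_floor)
        z = (today - mu) / sigma
        if z >= z_threshold:
            alerts.append({"user": user, "day": review_day, "mb": today, "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    print("binary rule:", [(e[1], e[2]) for e in binary_rule(EVENTS)])
    print("behavioral:", behavioral_alerts(EVENTS, baseline_days=range(1, 6), review_day=6))
```

On this data the binary rule fires only on carol's single labelled file, and the behavioral rule only on alice (roughly 276 deviations out) and dave (25 deviations, scored against the floor because his baseline never varied); bob's day is within his normal range. Neither rule alone covers both cases, which is the practical reason analytics are layered on top of, rather than swapped in for, the older binary checks.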


■ Bob Violino is a freelance writer and editor. Contact him at bviolino@optonline.net.
Just as the role of the CSO has evolved, so too has the security industry, and so have we. This is our final print issue of CSO magazine; we will now be found exclusively online. We promise to continue to provide you with informative, timely security features, news and analysis each month on our website, www.csoonline.com.

Let's keep evolving together!
Howard Evans
Cybersecurity Offering Manager, Managed Security Services for Cloud, CSC

Howard Evans is responsible for the management, evolution, and lifecycle of CSC's Cybersecurity Cloud Managed Security Services (MSS), from governance and rollout to retirement.

For more information on CSC Global Cybersecurity, visit www.csc.com/cybersecurity or, for direct contact, email CSC at securitysolutions@csc.com.

CSO Strategic Marketing Services

Extending Enterprise Security Governance to the Cloud
CSC on Risk Management and Cloud-Based Security

Private cloud techniques extend the protection of corporate governance and policies to the elasticity of a cloud platform, but that doesn't automatically make it secure. CSC explains why companies still need to adapt their security controls to protect private cloud environments.

What is the biggest mistake enterprises make in thinking about cloud security?

There's a perception that private cloud, as an extension to data center physical hosted environments, is inherently more secure — but cloud isn't immune to risk and threat exposure. Companies need to manage governance, compliance, assurance, and visibility in the evolving threat landscape. Assuming a cloud is safe is a common mistake. People, processes and products must be applied to make a cloud safe.

What is the greatest cloud security pain point?

Many enterprises already have a security governance framework in place for their traditional environments, but are now faced with incorporating cloud-based security elements into that framework. Security controls that work fine in traditional environments haven't evolved or even been considered in the context of the more dynamic nature of the cloud. You still need patch management, virus protection, vulnerability scanning, logging, in-depth architectural approaches to protection, and application security in the context of the cloud. Applying encryption, identity management, logging and multi-tenant safety measures are some of the harder areas to resolve. One must tie them together in a cohesive, multi-faceted framework.

How does enterprise security need to evolve to include cloud services?

Some aspects of the business are lower risk, while others are extremely high value and require the most advanced protection available. At the same time, many tools are not multi-tenant aware, and many products are not licensed with cloud delivery “as a service” in mind. Where security controls are concerned, organizations need an evolutionary approach based on risk appetite, and as needs change, security services must evolve to deliver protection at differentiated levels depending on where they're needed most. The challenge in the dynamic environment of the cloud is to ensure that policies, standards, and guidelines are up to date and reflect how customers are consuming the cloud infrastructure. Remember, clouds are a high concentration of resources so they are very likely targets. Thus continuously monitoring a cloud environment must be a part of the evolution when moving to a cloud business and technology approach.

How can organizations align their cloud security with their actual risks?

Automation is the key. Integrate security controls into the cloud from the beginning. Audit your security controls, incorporate emerging business requirements for cloud adoption, identify any gaps to be mitigated, and establish a continuous assessment strategy that lets your security posture evolve in-line as business requirements change.

CSC Cybersecurity Strategic Consulting, for example, provides a practical, flexible strategy that takes customers from their current environment to their desired goal state based on what they're moving to the cloud. ■